Enabling a Secure Remote Workforce to Support Business Continuity

Speaker: Nir Zuk, Founder & CTO, Palo Alto Networks


Palo Alto Networks CTO and Founder Nir Zuk shares his insights into how organizations can securely enable their entire workforce to work remotely. He discusses which architectures are successful and which are failing, and he shares best practices and stories from customers who are going through the transformation to a virtual workforce as we speak. Given the challenges of the environment COVID-19 has created, this is a great time to get Nir's perspective on how to securely connect and scale your mobile workforce.


Learn more about how Palo Alto Networks is helping our customers maintain secure remote workforces and maintain business continuity through COVID-19.





Nir Zuk:

Hi everyone, Nir Zuk, founder of Palo Alto Networks here, recording this presentation from my home office, as you can see, my messy home office. I think a lot of us are in this situation right now, and it's okay. What I want to talk about today is how to make this work in a secure way for your employees, without compromising on security and without overwhelming infrastructure.


End user machines, whether these are desktops, laptops, and in some cases mobile devices, are a primary factor for going after your applications and after your data. In many cases, the easiest path for adversaries to get into your data centers, whether these are physical data centers or cloud-based data centers, public cloud or SaaS applications, is through an endpoint that is allowed to go there. So, rather than trying to go straight into the data center, which in many cases is challenging, the adversaries would first try to get a foothold on an end user machine and then, from there, go into the data center.


I'll talk about three approaches that we see in the market today. The first one is a full-tunnel VPN, where you run all the endpoint traffic all the time through your remote access solution. The second is a split-tunnel VPN, where some of the traffic runs through the remote access solution and some of the traffic goes straight out to the internet. And the third is the cloud proxy, which I'll describe in a few minutes.


So with full-tunnel VPN, we take the traffic from the mobile user, whether it's a laptop or a mobile device, and bring it to the data center. Traffic that needs to stay in the data center, meaning traffic that is destined to applications in the data center, stays there, and the other traffic, whether it's internet traffic, internet browsing or traffic going to SaaS applications like email and sales force management and ticketing and so on, as well as traffic going to public cloud applications, goes out to the internet from there.


This is a secure solution, meaning endpoints, the end user devices, are as secure in this use case as if they were on premise, because all the traffic goes all the time through your entire security stack, which is sitting in the data center, whether the machine is on premise or not. Of course, in some cases users are allowed to turn off the full-tunnel VPN and only use it when they need to access applications. And in other cases, they just go straight out to the internet, and that is insecure, because when they go out straight to the internet, their endpoints are not protected by your entire security stack, which means that they are vulnerable. They'll get infected or owned at that point, and then when they connect to the VPN, the attack will continue and the attacker will now be able to get into the data center riding the VPN connection.


And of course, in terms of scalability, the challenge that a lot of organizations are facing is that when your entire workforce has to come through that VPN, there is a scalability challenge with the hardware that's enabling that VPN, and organizations are scrambling to add more and more hardware to try to accommodate that. And there is an even bigger challenge with the internet connection. Meaning, if you now have thousands, tens of thousands, and we've seen hundreds of thousands of users connecting 24/7 through your data centers, the internet link of that data center now needs to have enough capacity to receive all that traffic, plus, of course, the other traffic that comes in naturally from the internet, like customer traffic.


And of course, all of that traffic also has to then go out, or at least the traffic that's not bound to the local data center needs to go out. And we're seeing that as an even bigger challenge among customers and non-customers, where it's not the hardware that is failing first in terms of scalability, but rather the internet links are the ones that are failing. And of course, that's a much harder problem to solve quickly. It takes a while to fix that, if at all possible. So that's the full-tunnel VPN approach. Now, of course, because of what I just mentioned, because of the traffic challenges and the performance challenges with the hardware that enables the remote access, some customers are thinking about moving to split-tunnel VPN.


And with split-tunnel VPN, what you do is you only send traffic that goes to data center applications through the secure VPN connection, and the rest of the traffic you allow to go out straight to the internet, whether it's internet traffic or traffic going to your public cloud and SaaS applications. Of course, the challenge here is that the mobile device is not secure the entire time, and if the mobile device is connected the entire time, you have actually now created a proxy for the adversaries to get into your data center. You have a machine outside of your infrastructure that is both connected to the internet and connected to the data center. This is of course very, very dangerous and very lucrative for an adversary that's trying to get into your data center.


I strongly recommend against using split tunnels. It's the worst thing you can do. It's much worse, of course, than running all the traffic through the data center, and it's much worse than not allowing traffic into the data center at all. It's the most insecure way of doing it. In terms of scalability, it's certainly much more scalable, because if, let's say, only 20% of the traffic is bound to the data center, then you have five times the capacity versus if the entire traffic has to go to the data center. But we're still seeing capacity issues both on the hardware side and certainly on the internet link side.


The other solution that we've seen customers looking at is using a cloud proxy. Meaning, rather than running a VPN to the data center, you install PAC files, proxy access configuration files, on the mobile devices and you instruct the mobile device to go through a proxy. The traffic goes through the proxy using SSL encryption and certificates, which is pretty secure, and then from there the proxy sends some of the traffic to the internet and some traffic goes back to the data center. The challenge with that is that proxies don't secure all ports and protocols. They only secure web traffic, sometimes FTP traffic.


Other traffic coming in and out of the mobile device is not going to be secured, whether it's gaming traffic, because someone decided that now that you don't secure them they can play games on the laptop, or whether it's traffic that is originated by malware. Malware doesn't have to look at the PAC file and go through the proxy, and malware doesn't have to use HTTP or HTTPS for command and control. And also, it's relatively easy for power users, and less than power users, to install browsers on the mobile devices that don't look at the proxy configuration file and just go straight out to the internet.


So this is an insecure way. It only works for users that really are doing very, very basic things and don't know how to, or don't want to, bypass the proxy. And frankly, we're seeing that mostly as a compliance tool. Meaning, if you're an organization and you need to check a box for your auditors that your mobile users are secure, this is probably the easiest way to set it up. Most auditors will accept it and you'll be fine.


And then other challenges on the security side that we're seeing are that those cloud proxy vendors use subpar, mediocre security tools. One of the more popular cloud proxy vendors literally gets their sandbox from a company called Joe Security, I'm not kidding you, Joe Security. Their sandbox is not going to be as robust as the sandbox that you use day to day for traffic originating from your network. For mobile traffic, compared to when users are on your network, the IDS is not going to be as good, the URL filter will not be as good, the anti-malware will not be as good. It's not going to hook up to your IoT security apparatus, it's not going to hook up to your behavior analytics or network traffic analysis, and so on. It's mediocre security. Again, it's a checkbox, it's a compliance tool.


And we're also seeing customers, despite promises from those proxy vendors, hitting serious scalability challenges. A lot of these proxies, to save costs, are implemented in a multi-tenant way, with multi-tenant architectures, and are just crumbling. We're seeing one customer being affected by the traffic of other customers, and latencies going up, and when we get called in on a Friday to fix that issue, by the Wednesday of the following week we have tens of thousands of users up and running on our solution, which I'll describe in a second. We're seeing users having goodbye-proxy parties. That's how bad these proxies can be.


So what can we do? What can we do to secure this? So Palo Alto Networks, a few years ago, created a cloud native solution called Prisma Access, where Prisma Access is a cloud-delivered solution that is based on a true firewall. It's a single-tenant architecture. It secures all ports and all protocols. Of course, it secures all applications. And given that it's using Palo Alto Networks security, which is considered best of grade across everything that we do, that's how we've become the number one cybersecurity vendor in the world, it provides at least the same level of security that you would get if these users were on premise. So whether the users are on premise and the traffic goes out to the internet through your traditional security stack, or whether they are mobile users and it goes to Prisma Access, the security is the same.


And maybe to double click a little bit into Prisma Access and explain what Prisma Access is: at the core, Prisma Access is a worldwide network. It's a private network. It's an IP VPN, it's a private network. It has Palo Alto Networks' full security capabilities embedded in it, so a next generation firewall with all the different subscription services, the different functions that it does, as well as our CASB, called Prisma SaaS, deployed in there. And you can choose what kind of security to apply to which traffic. In general, that solution applies to branch offices, which connect to Prisma Access via SD-WAN or IPSec, and it applies to partners that connect to this solution via IPSec or clientless VPN. For the remote workforce, most of our customers would connect with our mobile device VPN client, which runs on Apple iOS, Android, Chrome OS, and of course Windows, macOS and Linux.


And from there, on that private network, once it goes through the full Palo Alto Networks inspection capabilities, that traffic is routed to its destination with SLAs, so you get SLAs that are very similar to the SLAs that you get with MPLS. The SLAs are in the low tens of milliseconds in many, many, many cases. The SLAs are given to the most popular SaaS applications and public clouds, and, with the exception of the last mile going into your headquarters and data center applications, we provide SLAs around that. To get onto the network, we have more than a hundred PoPs, a hundred locations around the world.


In terms of capacity, we have virtually unlimited network capacity. We are using the number one network in the world, which is Google's network. Google has two networks. They have the regular network and their premium network. We are one of the few that are using their premium network. So there is virtually unlimited capacity in terms of being able to accept those connections and deliver packets to their destination. You don't depend on internet congestion because, again, this is all running on a private network.


It's a single-tenant solution, so you don't get affected by other tenants, not from a performance perspective and not from a security perspective. And scalability, of course, works automatically; we take care of all of that by adding or removing capacity as required. So if users move around, or if all of a sudden we get a surge of thousands or tens of thousands of users, we will auto-scale the solution, and then when users move to other locations or turn off their computers or whatever, we will scale back. Of course, we don't charge for that. It's all included in the service, and we are responsible for running the infrastructure; you're responsible for pushing policies.


We even allow mixing and matching between this cloud-delivered solution, Prisma Access, and our traditional remote access VPN solution called GlobalProtect, so your gateways can be both cloud-delivered with Prisma Access or traditional ones with hardware and even VMs. We have customers now that are increasing on-premise capacity, not with hardware but with our VM-Series, which is fully compatible with the hardware. And then the policies that you are responsible for pushing are the same policies going to the physical firewall, the virtual firewall, and this cloud-delivered solution, Prisma Access.


That's all I had. Thank you very much. If you need anything, please email this, or you can email me directly if you have any questions. I'll be happy to have a one-on-one meeting with any of you, of course, whether it's through our executive briefing center, which is now all virtual, or just us. Again, thanks a lot. Be safe. I hope this is going to be behind us very, very quickly, and until then we are here to help you. Goodbye.
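As an added example, not code from the talk and not Palo Alto Networks' own code, the following models the three designs compared above (full-tunnel VPN, split-tunnel VPN, cloud proxy driven by a PAC file) and asks of each which endpoint flows leave the machine uninspected. PAC (proxy auto-configuration) files are JavaScript functions, so the example is written in JavaScript and includes a small PAC alongside the model. The proxy name `cloudproxy.example`, the hostnames, the 10.0.0.0/8 data-center range and the sample flows are all assumptions constructed for the example. It makes concrete the point that a PAC only governs URL-driven traffic from programs that honour it, and a split tunnel decides purely by destination route, so a raw TCP beacon from malware bypasses both, while a full tunnel carries it to the inspection stack.

```javascript
// Added example, not code from the talk or from Palo Alto Networks.
// A PAC (proxy auto-configuration) file is a JavaScript function, so the same
// language can model which endpoint flows each remote-access design actually
// inspects. Hostnames, addresses and the proxy name below are assumptions.

// Stand-ins for two PAC helper functions that browsers provide natively.
function isPlainHostName(host) {
  return !host.includes(".");
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false; // PAC isInNet expects a dotted quad
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// The PAC file handed to endpoints (assumed cloud proxy name). Everything that is
// not local goes to the proxy, which then forwards to the internet or back-hauls
// to the data center. Deliberately no "; DIRECT" fallback: such a fallback makes
// the browser fail open (straight to the internet) whenever the proxy is unreachable.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  return "PROXY cloudproxy.example:443";
}

// True if a PAC decision string lets the browser bypass the proxy on failure.
function failsOpen(decision) {
  return decision.split(";").map((s) => s.trim()).includes("DIRECT");
}

// Constructed sample flows as seen from one endpoint (not captured traffic).
// pacAware: does the originating program honour the system PAC? Browsers do;
// games, CLI tools, portable browsers with their own settings and malware do not.
const SAMPLE_FLOWS = [
  { app: "browser",          proto: "https", host: "mail.saas.example",     dst: "198.51.100.10", pacAware: true },
  { app: "browser",          proto: "https", host: "intranet.corp.example", dst: "10.1.2.3",      pacAware: true },
  { app: "malware-beacon",   proto: "tcp",   host: null,                    dst: "203.0.113.7",   pacAware: false },
  { app: "game",             proto: "udp",   host: null,                    dst: "203.0.113.9",   pacAware: false },
  { app: "portable-browser", proto: "https", host: "evil.example",          dst: "203.0.113.5",   pacAware: false },
];

const CORP_NET = { net: "10.0.0.0", mask: "255.0.0.0" }; // assumed data-center range

// Where a flow is inspected under each design: "tunnel", "proxy" or "direct".
function inspectionPoint(design, flow) {
  switch (design) {
    case "full-tunnel":
      return "tunnel"; // every packet rides the VPN to the data-center security stack
    case "split-tunnel":
      // The routing table decides; protocol is irrelevant and nothing else is inspected.
      return isInNet(flow.dst, CORP_NET.net, CORP_NET.mask) ? "tunnel" : "direct";
    case "cloud-proxy": {
      // Only URL-driven clients that honour the PAC ever consult it.
      if (!flow.pacAware || !["http", "https", "ftp"].includes(flow.proto)) return "direct";
      const decision = FindProxyForURL(`${flow.proto}://${flow.host}/`, flow.host);
      return decision.startsWith("PROXY") ? "proxy" : "direct";
    }
    default:
      throw new Error(`unknown design: ${design}`);
  }
}

// Names of the flows that leave the endpoint without passing any corporate control.
function uninspectedFlows(design, flows = SAMPLE_FLOWS) {
  return flows.filter((f) => inspectionPoint(design, f) === "direct").map((f) => f.app);
}

for (const design of ["full-tunnel", "split-tunnel", "cloud-proxy"]) {
  console.log(design.padEnd(12), "uninspected:", uninspectedFlows(design));
}
```

Run it with `node` and compare the three lines: the full tunnel leaves nothing uninspected, the split tunnel leaves every non-data-center flow uninspected regardless of protocol, and the cloud proxy covers the browser flows only. When reviewing a real PAC, also check the returned string with `failsOpen`: a trailing `; DIRECT` is a common convenience setting that silently turns the proxy into an optional control.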